"In God we trust. Everybody else we verify using PGP!"
Tim Newsome

PGP acronym for "Pretty Good Privacy", is a computer program created by Phil Zimmermann in 1991 to encrypt and decrypt information using public key cryptography.

On 1993 Phil Zimmerman was accused by the US government for "munitions export without a license" because cryptosystems using keys larger than 40 bits were then considered munitions at the moment and PGP always used keys bigger than 128 bits. That created a lot of legal problems for Zimmerman but also helped PGP to get its fame.

Long history short, Zimmerman proposed in 1997 to create a standard called OpenPGP, that standard was accepted by the IETF using as specification the document RFC 4880 and that way a lot of applications were created that could exchange encrypted messages among themselves.

The Free Software Foundation created its own implementation of the OpenPGP standard and called it GNU Privacy Guard, also called “GnuPG” or GPG for short.

What can PGP/GPG do for you?


In the previous lesson we saw what crypto is, now we have an idea about what PGP is, but why should you use it? What can it do for you?

PGP/GPG can:

Encrypt messages: You will be able to encrypt messages ensuring only the desired recipient can read it. There is no known way of decrypting it without using the appropriate key, trying all the possible combinations would take about 10,000,000,000,000 years, that is 1000 times the age of the universe. Decrypt messages: You will be able to decrypt the message others send to you. Sign messages: You can digitally sign a message and that way authenticating that you really wrote it. Verify signatures: You can verify if a message was written by the person who supposedly did it.

Why should you use PGP/GPG?

When you operate over a compromised channel, like Internet, the phone or radio waves, you should expect that Big Brother will be listening and/or recording the communication someplace.

Someone could even send messages claiming to be you, specially using email, have you seen in your spam folder an email sent from your own account trying to sell you something? Is not that your account was hacked, what happened is that a spammer “forged” that email to look like it was sent from your account. Email sucks I’ll write about it in the close future.

So you should use PGP/GPG to ensure that the messages exchanged in your group can only be read by the desired recipients and that the authors really are who they claim to be.

Private key backup

You should do a private key backup, exporting it and then saving it in a CD or a pendrive to be stored in your safe box, geocache or whatever you like. You can also use the backup to install the key in many devices where you would like to work with encrypted messages. If your key gets stolen, it is still protected by a symmetric encryption, that’s why you need to type your passphrase every time you use your private key. Also you could create and store a “revocation certificate” to be published to notify others that the public key should no longer be used because it was compromised or the passphrase lost.

PGP/GPG file extensions

Whenever you encrypt or export a key to a file, PGP/GPG will create files whose extension could be .asc, .pgp or .gpg.

.asc files are “ASCII armored” that means the encrypted data is stored as readable characters that you will be able to see in any text editor, this format is extremely helpful to use in emails as you can copy/paste the text. These files have a header and a tail indicating the beginning and the end of the PGP/GPG data, something like “-----BEGIN PGP PUBLIC KEY BLOCK-----”, or “-----BEGIN PGP MESSAGE-----”. Remember to include those beginning and end indicators and that if you manually change the content between them the file will get corrupted. ASCII armor is better suited for small files or text messages as armoring the message makes it bigger.

.pgp/.gpg files are binary files, you can’t see the contents using a text editor, you could attach these files to your emails. This is more useful when you encrypt big files as encrypted files will be smaller than ASCII armored files.

PGP/GPG practice

Enough chit chat, is time to learn practicing. This week the practice will be to install GPG on your computer and create your key pair, after you create the keys I want you to post your public key in the forum HERE so we can all start communicating among ourselves securely.

Depending on your OS you will need to download the appropriate OpenPGP implementation for your platform. You will notice that each implementation includes a suite of tools that will help you in your daily encryption tasks, for instance right clicking a file you will see the option to encrypt/decrypt files etc. Also is extremely useful the tool to manage your keyring, that is your collection of other people public keys.

In a following lesson we will install a tool to help you send and receive encrypted messages transparently, but you need your keys in order to do that… so, let’s install the GPG.

1 - Download the appropriate software:


2 - Follow the installation steps, I’m extremely sorry if you use Mac but I have no clue on how it is, probably is just the same that the others, but I never touched a Mac in my life and I’m not planing to change that. Why? I’ll tell you about in the Free software lesson. Lucky for you Mac guys, there is a video explaining how to install GPGTools and create your keys HERE.

3 - Create your key pair. Computationally today isn’t a problem to use 4096 bits keys, so go for them! If you are using windows you'll need to select "advanced settings" in the screen where you type your name and email, and then select 4096 bits as the RSA key size.

Use the real email account that you plan to use to exchange encrypted messages.
If you use a fake account GPG Mail integration won't be able to automatically know what public key to use for encrypting the messages!

Also remember to use a good passphrase, it is used to symmetrically encrypt your private key so no one else can use it even if it gets stolen from your computer or backup. You can follow this excellent text guide on how to create your keys in Windows and Linux from the guys, or you can follow the steps in these videos:



Another Linux video:


4 - If you reached this step that means you have successfully generated your key pair. To share your public key open your keyring management tool and select the option to export your public key. Get your newly exported public key and post it in a new thread HERE.
Remember to name your public key export file like this [your Name]PublicKey.asc, for instance APX808PublicKey.asc

5 - It would take me a lifetime to explain every suite for each OS, so it will be awesome if you read some documentation of your corresponding GPG implementation or watch a few youtube videos about it. If you play a little with the tools you’ll see that encrypting/decrypting files isn’t so complicated. Just right click over a file and select the option encrypt/sign it, and a menu will ask you what public key should GPG use to encrypt it. Decryption works the same way, you can find a few videos on Youtube showing you this.

Let’s see who is the first one in sharing his key, and don’t forget I’m here to help you if you need assistance!

No comments:

hit counter script